Nearly 2,000 internet-exposed Apache Superset servers used by government entities, corporations, universities, and others are at risk of authentication bypass and remote code execution attacks due to the servers' use of the default Flask Secret Key for authentication session cookie signing, BleepingComputer reports.
Because the key is what signs the session cookies, anyone who knows the default value can forge a session cookie that grants administrator privileges on any server still using it; servers that have changed the key are not at risk, according to a Horizon3 report.
"We are not disclosing any exploit methods at this time, though we think it'll be straightforward for interested attackers to figure it out," said Horizon3.
Apache's security team was first alerted to the flaw in October 2021, and a new version of the software that replaced the default key was released in January 2022.
However, the misconfiguration persisted, prompting Horizon3 to notify Apache again in February; earlier this month Apache issued a new version that refuses to start on servers still using the default key.
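As an added example, not code from Horizon3, Apache or the report, here is a startup guard in the spirit of the fix described above: a Flask/Superset-style configuration check that refuses to boot while SECRET_KEY is still a placeholder default or is otherwise weak. The placeholder default strings, the 32-byte minimum and the entropy threshold are assumptions for this example, not the project's real default key or thresholds.

```python
import math
import secrets
from collections import Counter
from typing import List

# Placeholder strings standing in for a shipped default key (constructed for
# this example; the project's real historical default is not reproduced here).
KNOWN_DEFAULT_KEYS = {
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    "thisismysecretkey",
}
MIN_KEY_BYTES = 32        # assumption: at least 256 bits of keying material
MIN_BITS_PER_CHAR = 3.0   # assumption: rejects padding such as "aaaa..."


class InsecureSecretKey(RuntimeError):
    """Raised at startup when the configured signing key must not be used."""


def shannon_entropy(value: str) -> float:
    """Bits per character of the observed symbol distribution (0 for empty)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def check_secret_key(key) -> List[str]:
    """Return the reasons a key is unacceptable; an empty list means it passes."""
    if not isinstance(key, str) or not key:
        return ["SECRET_KEY is unset or empty"]
    problems = []
    if key in KNOWN_DEFAULT_KEYS:
        problems.append("SECRET_KEY is a known default; anyone who knows it can forge session cookies")
    if len(key.encode("utf-8")) < MIN_KEY_BYTES:
        problems.append(f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes")
    if shannon_entropy(key) < MIN_BITS_PER_CHAR:
        problems.append("SECRET_KEY has low entropy (few distinct characters)")
    return problems


def enforce_secret_key(config: dict) -> None:
    """Startup guard: abort instead of serving with a forgeable session key."""
    problems = check_secret_key(config.get("SECRET_KEY"))
    if problems:
        suggestion = secrets.token_urlsafe(42)  # freshly generated replacement
        raise InsecureSecretKey(
            "Refusing to start:\n  - " + "\n  - ".join(problems)
            + f"\nSet SECRET_KEY to a random value such as: {suggestion}")


if __name__ == "__main__":
    enforce_secret_key({"SECRET_KEY": "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"})
```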